This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Testing for Session Management Schema (OTG-SESS-001)"

From OWASP
Jump to: navigation, search
(How to Avoid Session Management Vulnerabilities)
 
(32 intermediate revisions by 11 users not shown)
Line 1: Line 1:
{{Template:OWASP Testing Guide v3}}
+
{{Template:OWASP Testing Guide v4}}
  
== Brief Summary ==
+
== Summary ==
In order to avoid continuous authentication for each page of a website or service, web applications implement various mechanisms to store and validate credentials for a pre-determined timespan.<br>
+
In order to avoid continuous authentication for each page of a website or service, web applications implement various mechanisms to store and validate credentials for a pre-determined timespan. These mechanisms are known as Session Management and while they are important in order to increase the ease of use and user-friendliness of the application, they can be exploited by a penetration tester to gain access to a user account, without the need to provide correct credentials.  
These mechanisms are known as Session Management and, while they're most important in order to increase the ease of use and user-friendliness of the application, they can be exploited by a pen tester to gain access to a user account, without the need to provide correct credentials. In this test, we want to check that cookies and other session tokens are created in a secure and unpredictable way. An attacker that is able to predict and forge a weak cookie can easily hijack the sessions of legitimate users.
 
[[Category:FIXME|Is it ok to say pen tester, or should it always be penetration tester?]]
 
<br>
 
  
==Related Security Activities==
 
  
===Description of Session Management Vulnerabilities===
+
In this test, the tester wants to check that cookies and other session tokens are created in a secure and unpredictable way. An attacker who is able to predict and forge a weak cookie can easily hijack the sessions of legitimate users.
  
See the OWASP articles on [[:Category:Session Management Vulnerability|Session Management Vulnerabilities]].
 
  
===Description of Session Management Countermeasures===
+
Cookies are used to implement session management and are described in detail in RFC 2965. In a nutshell, when a user accesses an application which needs to keep track of the actions and identity of that user across multiple requests, a cookie (or cookies) is generated by the server and sent to the client. The client will then send the cookie back to the server in all following connections until the cookie expires or is destroyed.  The data stored in the cookie can provide to the server a large spectrum of information about who the user is, what actions he has performed so far, what his preferences are,  etc. therefore providing a state to a stateless protocol like HTTP.
  
See the OWASP articles on [[:Category:Session Management|Session Management Countermeasures]].
 
  
===How to Avoid Session Management Vulnerabilities===
+
A typical example is provided by an online shopping cart. Throughout the session of a user, the application must keep track of his identity, his profile, the products that he has chosen to buy, the quantity, the individual prices, the discounts, etc. Cookies are an efficient way to store and pass this information back and forth (other methods are URL parameters and hidden fields).
  
See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Session Management|Avoid Session Management]] Vulnerabilities.
 
  
===How to Review Code for Session Management| Vulnerabilities===
+
Due to the importance of the data that they store, cookies are therefore vital in the overall security of the application. Being able to tamper with cookies may result in hijacking the sessions of legitimate users, gaining higher privileges in an active session, and in general influencing the operations of the application in an unauthorized way.
  
See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Codereview-Session-Management|Review Code for Session Management]] Vulnerabilities.
+
In this test the tester has to check whether the cookies issued to clients can resist a wide range of attacks aimed to interfere with the sessions of legitimate users and with the application itself. The overall goal is to be able to forge a cookie that will be considered valid by the application and that will provide some kind of unauthorized access (session hijacking, privilege escalation, ...).  
  
==Description of the Issue==
 
  
Cookies are used to implement session management and are described in detail in RFC 2965. In a nutshell, when a user accesses an application which needs to keep track of the actions and identity of that user across multiple requests, a cookie (or more than one) is generated by the server and sent to the client. The client will then send the cookie back to the server in all following connections until the cookie expires or is destroyed.  The data stored in the cookie can provide to the server a large spectrum of information about who the user is, what actions he has performed so far, what his preferences are,  etc. therefore providing a state to a stateless protocol like HTTP.
+
Usually the main steps of the attack pattern are the following:
 
 
A typical example is provided by an online shopping cart. Throughout the session of a user, the application must keep track of his identity, his profile, the products that he has chosen to buy, the quantity, the individual prices, the discounts, etc. Cookies are an efficient way to store and pass this information back and forth (other methods are URL parameters and hidden fields).
 
 
 
Due to the importance of the data that they store, cookies are therefore vital in the overall security of the application. Being able to tamper with cookies may result in hijacking the sessions of legitimate users, gaining higher privileges in an active session, and in general influencing the operations of the application in an unauthorized way. In this test we have to check whether the cookies issued to clients can resist a wide range of attacks aimed to interfere with the sessions of legitimate users and with the application itself. The overall goal is to be able to forge a cookie that will be considered valid by the application and that will provide some kind of unauthorized access (session hijacking, privilege escalation, ...). Usually the main steps of the attack pattern are the following:
 
 
* '''cookie collection''': collection of a sufficient number of cookie samples;
 
* '''cookie collection''': collection of a sufficient number of cookie samples;
 
* '''cookie reverse engineering''': analysis of the cookie generation algorithm;
 
* '''cookie reverse engineering''': analysis of the cookie generation algorithm;
 
* '''cookie manipulation''': forging of a valid cookie in order to perform the attack. This last step might require a large number of attempts, depending on how the cookie is created (cookie brute-force attack).
 
* '''cookie manipulation''': forging of a valid cookie in order to perform the attack. This last step might require a large number of attempts, depending on how the cookie is created (cookie brute-force attack).
  
Another pattern of attack consists of overflowing a cookie. Strictly speaking, this attack has a different nature, since here we are not trying to recreate a perfectly valid cookie. Instead, our goal is to overflow a memory area, thereby interfering with the correct behavior of the application and possibly injecting (and remotely executing) malicious code.
 
  
==Black Box Testing and Examples==
+
Another pattern of attack consists of overflowing a cookie. Strictly speaking, this attack has a different nature, since here testers are not trying to recreate a perfectly valid cookie. Instead, the goal is to overflow a memory area, thereby interfering with the correct behavior of the application and possibly injecting (and remotely executing) malicious code.
 +
 
 +
==How to Test==
 +
 
 +
===Black Box Testing and Examples===
  
All interaction between the Client and Application should be tested at least against the following criteria:
+
All interaction between the client and application should be tested at least against the following criteria:
 
* Are all Set-Cookie directives tagged as Secure?
 
* Are all Set-Cookie directives tagged as Secure?
 
* Do any Cookie operations take place over unencrypted transport?
 
* Do any Cookie operations take place over unencrypted transport?
Line 51: Line 42:
 
* What HTTP/1.0 Cache-Control settings are used to protect Cookies?
 
* What HTTP/1.0 Cache-Control settings are used to protect Cookies?
  
===Cookie collection===
 
  
The first step required in order to manipulate the cookie is obviously to understand how the application creates and manages cookies. For this task, we have to try to answer the following questions:
+
====Cookie collection====
 +
 
 +
The first step required to manipulate the cookie is to understand how the application creates and manages cookies. For this task, testers have to try to answer the following questions:
  
* How many cookies are used by the application ?
+
* How many cookies are used by the application?
 
Surf the application. Note when cookies are created. Make a list of received cookies, the page that sets them (with the set-cookie directive), the domain for which they are valid, their value, and their characteristics.
 
Surf the application. Note when cookies are created. Make a list of received cookies, the page that sets them (with the set-cookie directive), the domain for which they are valid, their value, and their characteristics.
* Which parts of the the application generate and/or modify the cookie ?
+
* Which parts of the the application generate and/or modify the cookie?
Surfing the application, find which cookies remain constant and which get modified. What events modify the cookie ?
+
Surfing the application, find which cookies remain constant and which get modified. What events modify the cookie?
 
* Which parts of the application require this cookie in order to be accessed and utilized?
 
* Which parts of the application require this cookie in order to be accessed and utilized?
 
Find out which parts of the application need a cookie. Access a page, then try again without the cookie, or with a modified value of it. Try to map which cookies are used where.
 
Find out which parts of the application need a cookie. Access a page, then try again without the cookie, or with a modified value of it. Try to map which cookies are used where.
 +
  
 
A spreadsheet mapping each cookie to the corresponding application parts and the related information can be a valuable output of this phase.
 
A spreadsheet mapping each cookie to the corresponding application parts and the related information can be a valuable output of this phase.
  
===Session Analysis===
 
  
The Session Tokens (Cookie, SessionID or Hidden Field) themselves should be examined to ensure their quality from a security perspective.  They should be tested against criteria such as their randomness, uniqueness, resistance to statistical and cryptographic analysis and information leakage.<br>
+
====Session Analysis====
 +
 
 +
The session tokens (Cookie, SessionID or Hidden Field) themselves should be examined to ensure their quality from a security perspective.  They should be tested against criteria such as their randomness, uniqueness, resistance to statistical and cryptographic analysis and information leakage.<br>
 +
 
 +
 
 
* Token Structure & Information Leakage
 
* Token Structure & Information Leakage
 
The first stage is to examine the structure and content of a Session ID provided by the application.  A common mistake is to include specific data in the Token instead of issuing a generic value and referencing real data at the server side.
 
The first stage is to examine the structure and content of a Session ID provided by the application.  A common mistake is to include specific data in the Token instead of issuing a generic value and referencing real data at the server side.
 +
 +
 
If the Session ID is clear-text, the structure and pertinent data may be immediately obvious as the following:
 
If the Session ID is clear-text, the structure and pertinent data may be immediately obvious as the following:
 
<pre>
 
<pre>
Line 74: Line 72:
 
</pre>
 
</pre>
  
If part or the entire Token appears to be encoded or hashed, it should be compared to various techniques to check for obvious obfuscation.
+
 
For example the string “192.168.100.1:owaspuser:password:15:58” is represented in Hex, Base64 and as an MD5 hash:
+
If part or the entire token appears to be encoded or hashed, it should be compared to various techniques to check for obvious obfuscation. For example the string “192.168.100.1:owaspuser:password:15:58” is represented in Hex, Base64 and as an MD5 hash:
 
<pre>
 
<pre>
 
Hex 3139322E3136382E3130302E313A6F77617370757365723A70617373776F72643A31353A3538
 
Hex 3139322E3136382E3130302E313A6F77617370757365723A70617373776F72643A31353A3538
Line 81: Line 79:
 
MD5 01c2fc4f0a817afd8366689bd29dd40a
 
MD5 01c2fc4f0a817afd8366689bd29dd40a
 
</pre>
 
</pre>
 +
  
 
Having identified the type of obfuscation, it may be possible to decode back to the original data.  In most cases, however, this is unlikely.  Even so, it may be useful to enumerate the encoding in place from the format of the message.  Furthermore, if both the format and obfuscation technique can be deduced, automated brute-force attacks could be devised.
 
Having identified the type of obfuscation, it may be possible to decode back to the original data.  In most cases, however, this is unlikely.  Even so, it may be useful to enumerate the encoding in place from the format of the message.  Furthermore, if both the format and obfuscation technique can be deduced, automated brute-force attacks could be devised.
 +
 +
 
Hybrid tokens may include information such as IP address or User ID together with an encoded portion, as the following:
 
Hybrid tokens may include information such as IP address or User ID together with an encoded portion, as the following:
 
<pre>
 
<pre>
Line 88: Line 89:
 
</pre>
 
</pre>
  
Having analysed a single Session Token, the representative sample should be examined.
+
 
A simple analysis of the Tokens should immediately reveal any obvious patterns.  For example, a 32 bit Token may include 16 bits of static data and 16 bits of variable data.  This may indicate that the first 16 bits represent a fixed attribute of the user – e.g. the username or IP address.
+
Having analyzed a single session token, the representative sample should be examined. A simple analysis of the tokens should immediately reveal any obvious patterns.  For example, a 32 bit token may include 16 bits of static data and 16 bits of variable data.  This may indicate that the first 16 bits represent a fixed attribute of the user – e.g. the username or IP address. If the second 16 bit chunk is incrementing at a regular rate, it may indicate a sequential or even time-based element to the token generation.  See examples.
If the second 16 bit chunk is incrementing at a regular rate, it may indicate a sequential or even time-based element to the Token generation.  See Examples.
+
 
If static elements to the Tokens are identified, further samples should be gathered, varying one potential input element at a time.  For example, login attempts through a different user account or from a different IP address may yield a variance in the previously static portion of the Session Token.
+
 
 +
If static elements to the Tokens are identified, further samples should be gathered, varying one potential input element at a time.  For example, log in attempts through a different user account or from a different IP address may yield a variance in the previously static portion of the session token.
 +
 
 +
 
 
The following areas should be addressed during the single and multiple Session ID structure testing:
 
The following areas should be addressed during the single and multiple Session ID structure testing:
 
* What parts of the Session ID are static?
 
* What parts of the Session ID are static?
Line 97: Line 101:
 
* What easily decoded confidential information is stored?
 
* What easily decoded confidential information is stored?
 
* What information can be deduced from the structure of the Session ID?
 
* What information can be deduced from the structure of the Session ID?
* What portions of the Session ID are static for the same login conditions?
+
* What portions of the Session ID are static for the same log in conditions?
 
* What obvious patterns are present in the Session ID as a whole, or individual portions?
 
* What obvious patterns are present in the Session ID as a whole, or individual portions?
  
===Session ID Predictability and Randomness===
 
  
Analysis of the variable areas (if any) of the Session ID should be undertaken to establish the existence of any recognizable or predictable patterns.
+
====Session ID Predictability and Randomness====
These analysis may be performed manually and with bespoke or OTS statistical or cryptanalytic tools in order to deduce any patterns in the Session ID content.
+
 
Manual checks should include comparisons of Session IDs issued for the same login conditions – e.g., the same username, password, and IP address.  Time is an important factor which must also be controlled.  High numbers of simultaneous connections should be made in order to gather samples in the same time window and keep that variable constant.  Even a quantization of 50ms or less may be too coarse and a sample taken in this way may reveal time-based components that would otherwise be missed.
+
Analysis of the variable areas (if any) of the Session ID should be undertaken to establish the existence of any recognizable or predictable patterns. These analyses may be performed manually and with bespoke or OTS statistical or cryptanalytic tools to deduce any patterns in the Session ID content. Manual checks should include comparisons of Session IDs issued for the same login conditions – e.g., the same username, password, and IP address.   
Variable elements should be analysed over time to determine whether they are incremental in nature.  Where they are incremental, patterns relating to absolute or elapsed time should be investigated.  Many systems use time as a seed for their pseudo random elements.
+
 
Where the patterns are seemingly random, one-way hashes of time or other environmental variations should be considered as a possibility.  Typically, the result of a cryptographic hash is a decimal or hexadecimal number so should be identifiable.
+
 
In analysing Session IDs sequences, patterns or cycles, static elements and client dependencies should all be considered as possible contributing elements to the structure and function of the application.
+
Time is an important factor which must also be controlled.  High numbers of simultaneous connections should be made in order to gather samples in the same time window and keep that variable constant.  Even a quantization of 50ms or less may be too coarse and a sample taken in this way may reveal time-based components that would otherwise be missed.
* Are the Session IDs provably random in nature? I.e., can the resulting values be reproduced?   
+
 
 +
 
 +
Variable elements should be analyzed over time to determine whether they are incremental in nature.  Where they are incremental, patterns relating to absolute or elapsed time should be investigated.  Many systems use time as a seed for their pseudo-random elements. Where the patterns are seemingly random, one-way hashes of time or other environmental variations should be considered as a possibility.  Typically, the result of a cryptographic hash is a decimal or hexadecimal number so should be identifiable.
 +
 
 +
 
 +
In analyzing Session ID sequences, patterns or cycles, static elements and client dependencies should all be considered as possible contributing elements to the structure and function of the application.
 +
* Are the Session IDs provably random in nature? Can the resulting values be reproduced?   
 
* Do the same input conditions produce the same ID on a subsequent run?
 
* Do the same input conditions produce the same ID on a subsequent run?
 
* Are the Session IDs provably resistant to statistical or cryptanalysis?
 
* Are the Session IDs provably resistant to statistical or cryptanalysis?
 
* What elements of the Session IDs are time-linked?
 
* What elements of the Session IDs are time-linked?
 
* What portions of the Session IDs are predictable? 
 
* What portions of the Session IDs are predictable? 
* Can the next ID be deduced even given full knowledge of the generation algorithm and previous IDs?
+
* Can the next ID be deduced, given full knowledge of the generation algorithm and previous IDs?
 +
 
 +
 
 +
====Cookie reverse engineering====
  
===Cookie reverse engineering===
+
Now that the tester has enumerated the cookies and has a general idea of their use, it is time to have a deeper look at cookies that seem interesting. Which cookies is the tester interested in? A cookie, in order to provide a secure method of session management, must combine several characteristics, each of which is aimed at protecting the cookie from a different class of attacks.
  
Now that we have enumerated the cookies and have a general idea of their use, it is time to have a deeper look at cookies that seem interesting. Which cookies are we interested in? A cookie, in order to provide a secure method of session management, must combine several characteristics, each of which is aimed at protecting the cookie from a different class of attacks. These characteristics are summarized below:
+
These characteristics are summarized below:
#Unpredictability: a cookie must contain some amount of hard-to-guess data. The harder it is to forge a valid cookie, the harder is to break into legitimate user's session. If an attacker can guess the cookie used in an active session of a legitimate user, he/she will be able to fully impersonate that user (session hijacking). In order to make a cookie unpredictable, random values and/or cryptography can be used.
+
#Unpredictability: a cookie must contain some amount of hard-to-guess data. The harder it is to forge a valid cookie, the harder is to break into legitimate user's session. If an attacker can guess the cookie used in an active session of a legitimate user, they will be able to fully impersonate that user (session hijacking). In order to make a cookie unpredictable, random values and/or cryptography can be used.
#Tamper resistance: a cookie must resist malicious attempts of modification. If we receive a cookie like  IsAdmin=No, it is trivial to modify it to get administrative rights, unless the application performs a double check (for instance, appending to the cookie an encrypted hash of its value)
+
#Tamper resistance: a cookie must resist malicious attempts of modification. If the tester receives a cookie like  IsAdmin=No, it is trivial to modify it to get administrative rights, unless the application performs a double check (for instance, appending to the cookie an encrypted hash of its value)
#Expiration: a critical cookie must be valid only for an appropriate period of time and must be deleted from disk/memory afterwards, in order to avoid the risk of being replayed. This does not apply to cookies that store non-critical data that needs to be remembered across sessions (e.g., site look-and-feel)
+
#Expiration: a critical cookie must be valid only for an appropriate period of time and must be deleted from the disk or memory afterwards to avoid the risk of being replayed. This does not apply to cookies that store non-critical data that needs to be remembered across sessions (e.g., site look-and-feel).
 
#“Secure” flag: a cookie whose value is critical for the integrity of the session should have this flag enabled in order to allow its transmission only in an encrypted channel to deter eavesdropping.
 
#“Secure” flag: a cookie whose value is critical for the integrity of the session should have this flag enabled in order to allow its transmission only in an encrypted channel to deter eavesdropping.
  
The approach here is to collect a sufficient number of instances of a cookie and start looking for patterns in their value. The exact meaning of “sufficient” can vary from a handful of samples, if the cookie generation method is very easy to break, to several thousands, if we need to proceed with some mathematical analysis (e.g., chi-squares, attractors. See later for more information).
 
  
It is important to pay particular attention to the workflow of the application, as the state of a session can have a heavy impact on collected cookies: a cookie collected before being authenticated can be very different from a cookie obtained after the authentication.
+
The approach here is to collect a sufficient number of instances of a cookie and start looking for patterns in their value. The exact meaning of “sufficient” can vary from a handful of samples, if the cookie generation method is very easy to break, to several thousands, if the tester needs to proceed with some mathematical analysis (e.g., chi-squares, attractors. See later for more information).
 +
 
 +
 
 +
It is important to pay particular attention to the workflow of the application, as the state of a session can have a heavy impact on collected cookies. A cookie collected before being authenticated can be very different from a cookie obtained after the authentication.
 +
 
 +
 
 +
Another aspect to keep into consideration is time. Always record the exact time when a cookie has been obtained, when there is the possibility that time plays a role in the value of the cookie (the server could use a time stamp as part of the cookie value). The time recorded could be the local time or the server's time stamp included in the HTTP response (or both).
  
Another aspect to keep into consideration is time: always record the exact time when a cookie has been obtained, when there is the possibility that time plays a role in the value of the cookie (the server could use a timestamp as part of the cookie value). The time recorded could be the local time or the server's timestamp included in the HTTP response (or both).
 
  
Analyzing the collected values, try to figure out all variables that could have influenced the cookie value and try to vary them one at the time. Passing to the server modified versions of the same cookie can be very helpful in understanding how the application reads and processes the cookie.
+
When analyzing the collected values, the tester should try to figure out all variables that could have influenced the cookie value and try to vary them one at the time. Passing to the server modified versions of the same cookie can be very helpful in understanding how the application reads and processes the cookie.
 +
 
  
 
Examples of checks to be performed at this stage include:
 
Examples of checks to be performed at this stage include:
* What character set is used in the cookie ? Has the cookie a numeric value ? Alphanumeric ? Hexadecimal ? What happens if we insert in a cookie characters that do not belong to the expected charset ?
+
* What character set is used in the cookie? Has the cookie a numeric value? alphanumeric? hexadecimal? What happens if the tester inserts in a cookie characters that do not belong to the expected charset?
* Is the cookie composed of different sub-parts carrying different pieces of information ? How are the different parts separated ? With which delimiters ? Some parts of the cookie could have a higher variance, others might be constant, others could assume only a limited set of values. Breaking down the cookie to its base components is the first and fundamental step. An example of an easy-to-spot structured cookie is the following:
+
* Is the cookie composed of different sub-parts carrying different pieces of information? How are the different parts separated? With which delimiters? Some parts of the cookie could have a higher variance, others might be constant, others could assume only a limited set of values. Breaking down the cookie to its base components is the first and fundamental step.  
 +
 
 +
 
 +
An example of an easy-to-spot structured cookie is the following:
  
 
<pre>
 
<pre>
Line 139: Line 159:
 
</pre>
 
</pre>
  
In this example we see 5 different fields, carrying different types of data:
+
 
 +
This example shows 5 different fields, carrying different types of data:
  
 
<pre>
 
<pre>
Line 147: Line 168:
 
S – alphanumeric
 
S – alphanumeric
 
</pre>
 
</pre>
 +
  
 
Even when no delimiters are used, having enough samples can help. As an example, let's look at the following series:
 
Even when no delimiters are used, having enough samples can help. As an example, let's look at the following series:
Line 154: Line 176:
 
</pre>
 
</pre>
  
===Brute Force Attacks===
+
 
Brute force attacks inevitably lead on from questions relating to predictability and randomness.
+
====Brute Force Attacks====
The variance within the Session IDs must be considered together with application session durations and timeouts.  If the variation within the Session IDs is relatively small, and Session ID validity is long, the likelihood of a successful brute-force attack is much higher.
+
Brute force attacks inevitably lead on from questions relating to predictability and randomness. The variance within the Session IDs must be considered together with application session duration and timeouts.  If the variation within the Session IDs is relatively small, and Session ID validity is long, the likelihood of a successful brute-force attack is much higher.
A long session ID (or rather one with a great deal of variance) and a shorter validity period would make it far harder to succeed in a brute force attack.
+
 
 +
 
 +
A long Session ID (or rather one with a great deal of variance) and a shorter validity period would make it far harder to succeed in a brute force attack.
 
* How long would a brute-force attack on all possible Session IDs take?
 
* How long would a brute-force attack on all possible Session IDs take?
* Is the Session ID space large enough to prevent brute forcing? E.g., is the length of the key sufficient when compared to the valid life-span?
+
* Is the Session ID space large enough to prevent brute forcing? For example, is the length of the key sufficient when compared to the valid life-span?
 
* Do delays between connection attempts with different Session IDs mitigate the risk of this attack?
 
* Do delays between connection attempts with different Session IDs mitigate the risk of this attack?
  
== Gray Box testing and example ==  
+
 
If you have access to the session management schema implementation, you can check for the following:
+
=== Gray Box testing and example ===  
 +
If the tester has access to the session management schema implementation, they can check for the following:
 
* Random Session Token
 
* Random Session Token
The sessionID or Cookie issued to the client should not be easily predictable (don't use linear algorithms based on predictable variables such as the  client IP address). The use of cryptographic algorithms with key length of 256 bits is encouraged (like AES).
+
The Session ID or Cookie issued to the client should not be easily predictable (don't use linear algorithms based on predictable variables such as the  client IP address). The use of cryptographic algorithms with key length of 256 bits is encouraged (like AES).
 
* Token length
 
* Token length
SessionID will be at least 50 characters length.
+
Session ID will be at least 50 characters length.
 
* Session Time-out
 
* Session Time-out
 
Session token should have a defined time-out (it depends on the criticality of the application managed data)
 
Session token should have a defined time-out (it depends on the criticality of the application managed data)
Line 174: Line 199:
 
** secure (set only on HTTPS channel):  Set Cookie: cookie=data; path=/; domain=.aaa.it; secure
 
** secure (set only on HTTPS channel):  Set Cookie: cookie=data; path=/; domain=.aaa.it; secure
 
** [[HTTPOnly]] (not readable by a script):  Set Cookie: cookie=data; path=/; domain=.aaa.it; [[HTTPOnly]]
 
** [[HTTPOnly]] (not readable by a script):  Set Cookie: cookie=data; path=/; domain=.aaa.it; [[HTTPOnly]]
More information here: [[Testing_for_cookies_attributes]]
+
 
 +
 
 +
More information here: [[Testing_for_cookies_attributes (OWASP-SM-002)|Testing for cookies attributes]]
 +
 
 +
 
 +
 
 +
==Tools==
 +
* OWASP Zed Attack Proxy Project (ZAP) - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project - features a session token analysis mechanism.
 +
* Burp Sequencer - http://www.portswigger.net/suite/sequencer.html
 +
* Foundstone CookieDigger - http://www.mcafee.com/us/downloads/free-tools/cookiedigger.aspx
 +
* YEHG's JHijack - https://www.owasp.org/index.php/JHijack
  
 
==References==
 
==References==
Line 180: Line 215:
 
* RFC 2965 “HTTP State Management Mechanism”
 
* RFC 2965 “HTTP State Management Mechanism”
 
* RFC 1750 “Randomness Recommendations for Security”
 
* RFC 1750 “Randomness Recommendations for Security”
* “Strange Attractors and TCP/IP Sequence Number Analysis”: http://www.bindview.com/Services/Razor/Papers/2001/tcpseq.cfm
+
* Michal Zalewski: "Strange Attractors and TCP/IP Sequence Number Analysis" (2001): http://lcamtuf.coredump.cx/oldtcp/tcpseq.html
 +
* Michal Zalewski: "Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later" (2002): http://lcamtuf.coredump.cx/newtcp/
 
* Correlation Coefficient: http://mathworld.wolfram.com/CorrelationCoefficient.html
 
* Correlation Coefficient: http://mathworld.wolfram.com/CorrelationCoefficient.html
 +
* Darrin Barrall: "Automated Cookie Analysis" –  http://www.spidynamics.com/assets/documents/SPIcookies.pdf
 
* ENT: http://fourmilab.ch/random/
 
* ENT: http://fourmilab.ch/random/
 
* http://seclists.org/lists/fulldisclosure/2005/Jun/0188.html
 
* http://seclists.org/lists/fulldisclosure/2005/Jun/0188.html
* Darrin Barrall: "Automated Cookie Analisys" –  http://www.spidynamics.com/assets/documents/SPIcookies.pdf
 
 
* Gunter Ollmann: "Web Based Session Management" - http://www.technicalinfo.net
 
* Gunter Ollmann: "Web Based Session Management" - http://www.technicalinfo.net
* Matteo Meucci:"MMS Spoofing" - www.owasp.org/images/7/72/MMS_Spoofing.ppt  
+
* Matteo Meucci:"MMS Spoofing" - http://www.owasp.org/images/7/72/MMS_Spoofing.ppt  
 +
 
 
<br>
 
<br>
'''Tools'''<br>
+
'''Videos'''<br>
* [[:Category:OWASP WebScarab Project|OWASP's WebScarab]] features a session token analysis mechanism. You can read [[How to test session identifier strength with WebScarab]].
+
* Session Hijacking in Webgoat Lesson - http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_SessionMan_SessionHijackingWithJHijack/
* Foundstone CookieDigger - http://www.foundstone.com/resources/proddesc/cookiedigger.htm
+
 
 +
 
 +
==Related Security Activities==
 +
 
 +
===Description of Session Management Vulnerabilities===
 +
 
 +
See the OWASP articles on [[:Category:Session Management Vulnerability|Session Management Vulnerabilities]].
 +
 
 +
 
 +
===Description of Session Management Countermeasures===
 +
 
 +
See the OWASP articles on [[:Category:Session Management|Session Management Countermeasures]].
 +
 
 +
 
 +
===How to Avoid Session Management Vulnerabilities===
 +
 
 +
See the [[:Category:OWASP Guide Project|OWASP Development Guide]] article on how to [[Session Management|Avoid Session Management]] Vulnerabilities.
 +
 
 +
 
 +
===How to Review Code for Session Management| Vulnerabilities===
 +
 
 +
See the [[:Category:OWASP Code Review Project|OWASP Code Review Guide]] article on how to [[Codereview-Session-Management|Review Code for Session Management]] Vulnerabilities.

Latest revision as of 14:09, 31 July 2014

This article is part of the new OWASP Testing Guide v4.
Back to the OWASP Testing Guide v4 ToC: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents Back to the OWASP Testing Guide Project: https://www.owasp.org/index.php/OWASP_Testing_Project

Summary

In order to avoid continuous authentication for each page of a website or service, web applications implement various mechanisms to store and validate credentials for a pre-determined timespan. These mechanisms are known as Session Management and while they are important in order to increase the ease of use and user-friendliness of the application, they can be exploited by a penetration tester to gain access to a user account, without the need to provide correct credentials.


In this test, the tester wants to check that cookies and other session tokens are created in a secure and unpredictable way. An attacker who is able to predict and forge a weak cookie can easily hijack the sessions of legitimate users.


Cookies are used to implement session management and are described in detail in RFC 2965. In a nutshell, when a user accesses an application which needs to keep track of the actions and identity of that user across multiple requests, a cookie (or cookies) is generated by the server and sent to the client. The client will then send the cookie back to the server in all following connections until the cookie expires or is destroyed. The data stored in the cookie can provide to the server a large spectrum of information about who the user is, what actions he has performed so far, what his preferences are, etc. therefore providing a state to a stateless protocol like HTTP.


A typical example is provided by an online shopping cart. Throughout the session of a user, the application must keep track of his identity, his profile, the products that he has chosen to buy, the quantity, the individual prices, the discounts, etc. Cookies are an efficient way to store and pass this information back and forth (other methods are URL parameters and hidden fields).


Due to the importance of the data that they store, cookies are therefore vital in the overall security of the application. Being able to tamper with cookies may result in hijacking the sessions of legitimate users, gaining higher privileges in an active session, and in general influencing the operations of the application in an unauthorized way.

In this test the tester has to check whether the cookies issued to clients can resist a wide range of attacks aimed to interfere with the sessions of legitimate users and with the application itself. The overall goal is to be able to forge a cookie that will be considered valid by the application and that will provide some kind of unauthorized access (session hijacking, privilege escalation, ...).


Usually the main steps of the attack pattern are the following:

  • cookie collection: collection of a sufficient number of cookie samples;
  • cookie reverse engineering: analysis of the cookie generation algorithm;
  • cookie manipulation: forging of a valid cookie in order to perform the attack. This last step might require a large number of attempts, depending on how the cookie is created (cookie brute-force attack).


Another pattern of attack consists of overflowing a cookie. Strictly speaking, this attack has a different nature, since here testers are not trying to recreate a perfectly valid cookie. Instead, the goal is to overflow a memory area, thereby interfering with the correct behavior of the application and possibly injecting (and remotely executing) malicious code.

How to Test

Black Box Testing and Examples

All interaction between the client and application should be tested at least against the following criteria:

  • Are all Set-Cookie directives tagged as Secure?
  • Do any Cookie operations take place over unencrypted transport?
  • Can the Cookie be forced over unencrypted transport?
  • If so, how does the application maintain security?
  • Are any Cookies persistent?
  • What Expires= times are used on persistent cookies, and are they reasonable?
  • Are cookies that are expected to be transient configured as such?
  • What HTTP/1.1 Cache-Control settings are used to protect Cookies?
  • What HTTP/1.0 Cache-Control settings are used to protect Cookies?


Cookie collection

The first step required to manipulate the cookie is to understand how the application creates and manages cookies. For this task, testers have to try to answer the following questions:

  • How many cookies are used by the application?

Surf the application. Note when cookies are created. Make a list of received cookies, the page that sets them (with the set-cookie directive), the domain for which they are valid, their value, and their characteristics.

  • Which parts of the the application generate and/or modify the cookie?

Surfing the application, find which cookies remain constant and which get modified. What events modify the cookie?

  • Which parts of the application require this cookie in order to be accessed and utilized?

Find out which parts of the application need a cookie. Access a page, then try again without the cookie, or with a modified value of it. Try to map which cookies are used where.


A spreadsheet mapping each cookie to the corresponding application parts and the related information can be a valuable output of this phase.


Session Analysis

The session tokens (Cookie, SessionID or Hidden Field) themselves should be examined to ensure their quality from a security perspective. They should be tested against criteria such as their randomness, uniqueness, resistance to statistical and cryptographic analysis and information leakage.


  • Token Structure & Information Leakage

The first stage is to examine the structure and content of a Session ID provided by the application. A common mistake is to include specific data in the Token instead of issuing a generic value and referencing real data at the server side.


If the Session ID is clear-text, the structure and pertinent data may be immediately obvious as the following:

192.168.100.1:owaspuser:password:15:58


If part or the entire token appears to be encoded or hashed, it should be compared to various techniques to check for obvious obfuscation. For example the string “192.168.100.1:owaspuser:password:15:58” is represented in Hex, Base64 and as an MD5 hash:

Hex	3139322E3136382E3130302E313A6F77617370757365723A70617373776F72643A31353A3538
Base64	MTkyLjE2OC4xMDAuMTpvd2FzcHVzZXI6cGFzc3dvcmQ6MTU6NTg=
MD5	01c2fc4f0a817afd8366689bd29dd40a


Having identified the type of obfuscation, it may be possible to decode back to the original data. In most cases, however, this is unlikely. Even so, it may be useful to enumerate the encoding in place from the format of the message. Furthermore, if both the format and obfuscation technique can be deduced, automated brute-force attacks could be devised.


Hybrid tokens may include information such as IP address or User ID together with an encoded portion, as the following:

owaspuser:192.168.100.1: a7656fafe94dae72b1e1487670148412


Having analyzed a single session token, the representative sample should be examined. A simple analysis of the tokens should immediately reveal any obvious patterns. For example, a 32 bit token may include 16 bits of static data and 16 bits of variable data. This may indicate that the first 16 bits represent a fixed attribute of the user – e.g. the username or IP address. If the second 16 bit chunk is incrementing at a regular rate, it may indicate a sequential or even time-based element to the token generation. See examples.


If static elements to the Tokens are identified, further samples should be gathered, varying one potential input element at a time. For example, log in attempts through a different user account or from a different IP address may yield a variance in the previously static portion of the session token.


The following areas should be addressed during the single and multiple Session ID structure testing:

  • What parts of the Session ID are static?
  • What clear-text confidential information is stored in the Session ID? E.g. usernames/UID, IP addresses
  • What easily decoded confidential information is stored?
  • What information can be deduced from the structure of the Session ID?
  • What portions of the Session ID are static for the same log in conditions?
  • What obvious patterns are present in the Session ID as a whole, or individual portions?


Session ID Predictability and Randomness

Analysis of the variable areas (if any) of the Session ID should be undertaken to establish the existence of any recognizable or predictable patterns. These analyses may be performed manually and with bespoke or OTS statistical or cryptanalytic tools to deduce any patterns in the Session ID content. Manual checks should include comparisons of Session IDs issued for the same login conditions – e.g., the same username, password, and IP address.


Time is an important factor which must also be controlled. High numbers of simultaneous connections should be made in order to gather samples in the same time window and keep that variable constant. Even a quantization of 50ms or less may be too coarse and a sample taken in this way may reveal time-based components that would otherwise be missed.


Variable elements should be analyzed over time to determine whether they are incremental in nature. Where they are incremental, patterns relating to absolute or elapsed time should be investigated. Many systems use time as a seed for their pseudo-random elements. Where the patterns are seemingly random, one-way hashes of time or other environmental variations should be considered as a possibility. Typically, the result of a cryptographic hash is a decimal or hexadecimal number so should be identifiable.


In analyzing Session ID sequences, patterns or cycles, static elements and client dependencies should all be considered as possible contributing elements to the structure and function of the application.

  • Are the Session IDs provably random in nature? Can the resulting values be reproduced?
  • Do the same input conditions produce the same ID on a subsequent run?
  • Are the Session IDs provably resistant to statistical or cryptanalysis?
  • What elements of the Session IDs are time-linked?
  • What portions of the Session IDs are predictable?
  • Can the next ID be deduced, given full knowledge of the generation algorithm and previous IDs?


Cookie reverse engineering

Now that the tester has enumerated the cookies and has a general idea of their use, it is time to have a deeper look at cookies that seem interesting. Which cookies is the tester interested in? A cookie, in order to provide a secure method of session management, must combine several characteristics, each of which is aimed at protecting the cookie from a different class of attacks.

These characteristics are summarized below:

  1. Unpredictability: a cookie must contain some amount of hard-to-guess data. The harder it is to forge a valid cookie, the harder is to break into legitimate user's session. If an attacker can guess the cookie used in an active session of a legitimate user, they will be able to fully impersonate that user (session hijacking). In order to make a cookie unpredictable, random values and/or cryptography can be used.
  2. Tamper resistance: a cookie must resist malicious attempts of modification. If the tester receives a cookie like IsAdmin=No, it is trivial to modify it to get administrative rights, unless the application performs a double check (for instance, appending to the cookie an encrypted hash of its value)
  3. Expiration: a critical cookie must be valid only for an appropriate period of time and must be deleted from the disk or memory afterwards to avoid the risk of being replayed. This does not apply to cookies that store non-critical data that needs to be remembered across sessions (e.g., site look-and-feel).
  4. “Secure” flag: a cookie whose value is critical for the integrity of the session should have this flag enabled in order to allow its transmission only in an encrypted channel to deter eavesdropping.


The approach here is to collect a sufficient number of instances of a cookie and start looking for patterns in their value. The exact meaning of “sufficient” can vary from a handful of samples, if the cookie generation method is very easy to break, to several thousands, if the tester needs to proceed with some mathematical analysis (e.g., chi-squares, attractors. See later for more information).


It is important to pay particular attention to the workflow of the application, as the state of a session can have a heavy impact on collected cookies. A cookie collected before being authenticated can be very different from a cookie obtained after the authentication.


Another aspect to keep into consideration is time. Always record the exact time when a cookie has been obtained, when there is the possibility that time plays a role in the value of the cookie (the server could use a time stamp as part of the cookie value). The time recorded could be the local time or the server's time stamp included in the HTTP response (or both).


When analyzing the collected values, the tester should try to figure out all variables that could have influenced the cookie value and try to vary them one at the time. Passing to the server modified versions of the same cookie can be very helpful in understanding how the application reads and processes the cookie.


Examples of checks to be performed at this stage include:

  • What character set is used in the cookie? Has the cookie a numeric value? alphanumeric? hexadecimal? What happens if the tester inserts in a cookie characters that do not belong to the expected charset?
  • Is the cookie composed of different sub-parts carrying different pieces of information? How are the different parts separated? With which delimiters? Some parts of the cookie could have a higher variance, others might be constant, others could assume only a limited set of values. Breaking down the cookie to its base components is the first and fundamental step.


An example of an easy-to-spot structured cookie is the following:

ID=5a0acfc7ffeb919:CR=1:TM=1120514521:LM=1120514521:S=j3am5KzC4v01ba3q


This example shows 5 different fields, carrying different types of data:

ID – hexadecimal
CR – small integer
TM and LM – large integer. (And curiously they hold the same value. Worth to see what happens modifying one of them)
S – alphanumeric


Even when no delimiters are used, having enough samples can help. As an example, let's look at the following series:

0123456789abcdef


Brute Force Attacks

Brute force attacks inevitably lead on from questions relating to predictability and randomness. The variance within the Session IDs must be considered together with application session duration and timeouts. If the variation within the Session IDs is relatively small, and Session ID validity is long, the likelihood of a successful brute-force attack is much higher.


A long Session ID (or rather one with a great deal of variance) and a shorter validity period would make it far harder to succeed in a brute force attack.

  • How long would a brute-force attack on all possible Session IDs take?
  • Is the Session ID space large enough to prevent brute forcing? For example, is the length of the key sufficient when compared to the valid life-span?
  • Do delays between connection attempts with different Session IDs mitigate the risk of this attack?


Gray Box testing and example

If the tester has access to the session management schema implementation, they can check for the following:

  • Random Session Token

The Session ID or Cookie issued to the client should not be easily predictable (don't use linear algorithms based on predictable variables such as the client IP address). The use of cryptographic algorithms with key length of 256 bits is encouraged (like AES).

  • Token length

Session ID will be at least 50 characters length.

  • Session Time-out

Session token should have a defined time-out (it depends on the criticality of the application managed data)

  • Cookie configuration:
    • non-persistent: only RAM memory
    • secure (set only on HTTPS channel): Set Cookie: cookie=data; path=/; domain=.aaa.it; secure
    • HTTPOnly (not readable by a script): Set Cookie: cookie=data; path=/; domain=.aaa.it; HTTPOnly


More information here: Testing for cookies attributes


Tools

References

Whitepapers


Videos


Related Security Activities

Description of Session Management Vulnerabilities

See the OWASP articles on Session Management Vulnerabilities.


Description of Session Management Countermeasures

See the OWASP articles on Session Management Countermeasures.


How to Avoid Session Management Vulnerabilities

See the OWASP Development Guide article on how to Avoid Session Management Vulnerabilities.


How to Review Code for Session Management| Vulnerabilities

See the OWASP Code Review Guide article on how to Review Code for Session Management Vulnerabilities.